Secure processor and a program for a secure processor

ABSTRACT

The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.16/382,739, filed Apr. 12, 2019, which is a continuation of U.S.application Ser. No. 15/340,061, filed Nov. 1, 2016, which is adivisional of U.S. application Ser. No. 14/091,475, filed Nov. 27, 2013,which is a divisional of U.S. application Ser. No. 12/926,476, filedNov. 19, 2010, which is a divisional of U.S. application Ser. No.11/089,352, filed Mar. 25, 2005, which is based upon and claims thebenefit of priority from the prior Japanese Patent Application No.2004-194951, filed Jun. 30, 2004, the entire contents of which areincorporated herein by reference.

BACKGROUND OF THE INVENTION 1. Field of the Invention

The present invention relates to a system of assuring security forinformation processing systems such as computers. More precisely, itrelates to a secure processor and a program for the secure processor,which are capable of preventing operation of malicious execution codesas in computers and various kinds of equipment with a built-inprocessor.

2. Description of the Related Art

In the systems using a processor, operations can be described by aprogram so that those operations showing high flexibility and multiplefunctions can be easily mounted when compared to systems configuredentirely by hardware. Because of these features, processors have beenused in numerous systems such as personal computers, PDAs, cellularphones, and information household appliances and with the increasedpopularity of these systems, processing requiring higher levels ofsecurity as in e-commerce has been performed widely. Although a varietyof kinds of system-based measures such as encryption for line data anduser authentication have been taken in order to tighten security,software-level or processor-level security has become an issue whencoping with the spread of computer viruses and illegal accessing as wellas dealing with system-level security in recent years.

For example, as a variety of kinds of equipment with a built-inprocessor including cellular phones and information household appliancesare connected to networks, there is a high likelihood that thisequipment is also exposed to external threats similar to those ofpersonal computers. When precisely analyzing problems such as illegalaccess, the main cause is the fact that the malicious execution codesoperate within the terminals. It is important to prevent the maliciouscodes or undesirable codes from operating on a processor, but themeasures taken traditionally at the processor side to prevent theoperation of the malicious codes are not adequate at all. As a result,the problem remains that a secure software execution environment has notbeen provided.

Next, traditionally a processing is executed as follows: when storingdata and execution codes for instructions in the main memory device orin the secondary memory device, encryption is performed for assuringsecurity, and the encrypted data are then decrypted prior to the actualexecution of instructions and are stored in the cache memory within theprocessor, and the processing is executed. In this case, the hardwarefor executing the encryption processing is loaded externally on anotherchip which is different from the processor chip. Therefore, there wasthe problem that encryption processing performance such as processingspeed tends to become inferior.

Also, in such encryption processing, the encryption key used forencryption of data is determined at the side of encryption processing onthe external chip so that there are no relationships with the kinds ofinstructions to be executed at the processor side, supervisor/user modeor the access addresses for fetching the data or instructions. Inaddition, the problem remained that an appropriate encryption key cannot be selected in response to the instructions to be executed since theexecution unit at the processor side can not specify a key to be usedfor encryption and decryption.

The following literature is available as the prior art regarding thesecurity of this software execution environment.

-   Patent Reference 1: Japanese Patent Application Disclosure    2002-353960, “code Execution Apparatus and Code Distributing Method”

This document discloses a code execution apparatus wherein the encryptedexecution code is authenticated to confirm effectiveness of theencrypted code, and the secure processor fetches instructionscorresponding to the encrypted code in order to execute them as a securetask.

However, in this code execution apparatus, there are no relationshipsbetween the process corresponding to the execution code and the key usedfor authentication. For example, a problem could not be solved such thatif a malicious operation is performed in the operating system (OS) andthen if another authentication key is allocated in the program, themalicious code must be operated.

SUMMARY OF THE INVENTION

The first objective of the present invention is to provide a secureprocessor which continuously authenticates execution codes of a programstored in, for example, secondary storage unit based on the memorycontents as a base in the memory storing the encrypted instruction codesin a non-rewritable format, extends the range of secure reliableapplications in a stepwise manner and thereby can execute only thereliable operations.

The second objective of the present invention is to make it possible toselect a key to be used for encryption/decryption of the data andexecution codes by the instructions being executed as well as improvingthe encryption processing performance by installing an encryptionprocessing block on the same chip as that of the processor.

The third objective of the present invention is to improve the securityof the information processing by the processor by making only theexecution codes which have been successfully authenticated as executableby performing authentication of the execution codes using anauthentication key corresponding to the process at the time when storingthe process execution codes into the main memory.

The first secure processor of the present invention is a processorhaving a core which executes instruction codes which comprises a keystoring device, an instruction code storing device, an authenticationprocessing device, and an encryption processing device. The key storingdevice stores a specific key in the core. The instruction code storingdevice stores the encrypted instruction codes in a non-rewritableformat. The authentication processing device authenticates theinstruction codes including the instruction codes stored in theinstruction code storing device using the specific key or anauthenticated key using the specific key. The encryption processingdevice encrypts the input and output data between the core and theoutside.

The second secure processor of the present invention comprises aninstruction execution device, a load/store control device, and anencryption processing device. The instruction execution device executesinstructions. The load/store control device controls loading/storing ofthe data to the external memory in response to commands from theinstruction execution device. The encryption processing device performsencryption/decryption of the data between the load/store control deviceand the external memory. In addition, the instruction execution devicespecifies a key to be used for data encryption/decryption for theencryption processing device in response to the instructions beingexecuted.

The third secure processor of the present invention comprises aninstruction execution device, a load/store control device, and anencryption processing device. The instruction execution device executesinstructions. The load/store control device controls loading/storing ofthe data to the external memory in response to commands from theinstruction execution device. The encryption processing device performsencryption/decryption of the data between the load/store control deviceand the external memory. In addition, the instruction execution devicegives a signal which specifies a key to be used for dataencryption/decryption for the encryption processing device in responseto the access addresses of the data/instruction fetch by theinstructions being executed.

The fourth secure processor of the present invention comprises a secureprocess identifier generation device and a process information retentiondevice. The secure process identifier generation device generates asecure process identifier at the point when the process generationcommand is issued which is to be compared with a secure processidentifier corresponding to the page with a secure page flag showingthat the page storing the execution codes is correctly authenticatedprior to the execution of the process corresponding to the executioncodes. The process information retention device retains the generatedsecure process identifier as information related to the process.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the principle configuration of thesecure processor according to the present invention;

FIG. 2 is a block diagram showing the basic configuration of theprocessor in the first embodiment;

FIG. 3 is a basic processing flowchart of the processor in the firstembodiment;

FIG. 4 is a flowchart showing the processing comprising a codeauthentication processing block and an encryption processing block;

FIG. 5 is a processing flowchart of the encryption processing block whendifferent keys are specified by the instruction area and the data area;

FIG. 6 is an explanatory diagram of a storage system of the encryptionkey encrypted by using a public key;

FIG. 7 is a flowchart of the storage processing for the encryption keyencrypted by using a public key;

FIG. 8 is an explanatory diagram of a storage system for the encryptionkey with the added signature of the certification authority;

FIG. 9 is a flowchart of the storage processing of the encryption keywith the added signature of the certification authority;

FIG. 10 is a processing flowchart when detecting an invalid instructionis detected;

FIG. 11 is flowchart of a key replacement processing for theinstructions stored in the data area;

FIG. 12 is a block diagram showing the basic configuration of theprocessor in the second embodiment;

FIG. 13 is a basic processing flowchart of the processor in the secondembodiment;

FIG. 14 is a block diagram showing both the basic configuration of theprocessor comprising a secure core and a normal core;

FIG. 15 is a basic flowchart of the processing in the processor shown inFIG. 14;

FIG. 16 is an explanatory diagram showing the abort control system for anormal core by a secure core in the processor shown in FIG. 14;

FIG. 17 is a flowchart showing the abort control processing for normalcore by a secure core in the processor shown in FIG. 14;

FIG. 18 is a configuration block diagram of the processor having a keygeneration mechanism corresponding to a secure core;

FIG. 19 is an actual explanatory diagram of a concrete example of thekey processing system in the processor shown in FIG. 18;

FIG. 20 is a block diagram showing the basic configuration of theprocessor in the third embodiment;

FIG. 21 is a configuration block diagram of the processor having a keytable memory in the third embodiment;

FIG. 22 is a block diagram showing the configuration of the processor inthe command access state in the third embodiment;

FIG. 23 is a block diagram showing the configuration of the processorhaving a key selection register corresponding to the key table memory;

FIG. 24 is a configuration block diagram of the processor having the keyselection register corresponding to the key table memory in the commandaccess state;

FIG. 25 is a diagram showing a configuration example of the key tablememory;

FIG. 26 is a block diagram showing a configuration example of theencryption circuit and the decryption circuit;

FIG. 27 is a diagram showing a configuration example of the encryptioncircuit and decryption circuit having a data passing over function;

FIG. 28 is an explanatory diagram for the read modify right systemcorresponding to the load store unit in the cache through system;

FIG. 29 is a block diagram showing the basic configuration of theprocessor shown in the fourth embodiment;

FIG. 30 is a configuration block diagram of the processor having a keytable memory which logic addresses are given;

FIG. 31 is a configuration block diagram of the processor having a keytable memory which physical addresses are given;

FIG. 32 is a diagram showing a configuration example (No. 1) of the keytable memory in the fourth embodiment;

FIG. 33 is another diagram showing a configuration example (No. 2) ofthe key table memory in the fourth embodiment;

FIG. 34 is the other diagram showing a configuration example (No. 3) ofthe key table memory in the fourth embodiment;

FIG. 35 is a block diagram showing a configuration of the processorcomprising the key table memory which a logic address and a physicaladdress are given;

FIG. 36 is a configuration block diagram of the processor comprising thekey selection register giving an address selection instruction to thekey table memory shown in FIG. 35;

FIG. 37 is a diagram showing a configuration example of the key tablememory shown in FIG. 35 and FIG. 36;

FIG. 38 is a block diagram showing a configuration of the processorhaving the key table within the memory management unit;

FIG. 39 is an explanatory diagram of the data access system shown inFIG. 38;

FIG. 40 is an explanatory diagram of the data access system in the casewhen a key table is installed in the address map register;

FIG. 41 is a block diagram showing a configuration of the processor forswitching keys based on the ON/OFF state of the memory management unit;

FIG. 42 is an explanatory diagram of an encryption/decryption system forswitching keys based on the ON/OFF state of the memory management unit;

FIG. 43 is an explanatory diagram of I/O signals of the execution unitin the third and the fourth embodiments;

FIG. 44 is a detailed configuration block diagram of the processorsystem in the fifth embodiment;

FIG. 45 is an explanatory diagram of a system for producing the securecontext identifier;

FIG. 46 is an explanatory diagram of a method for producing the securecontext identifier;

FIG. 47 is an explanatory diagram of a system for eliminating the securecontext identifier;

FIG. 48 is an explanatory diagram of authentication information added tothe execution codes;

FIG. 49 is an explanatory diagram of a storage system for a public keyto the authentication key register;

FIG. 50 is a flowchart of a storage processing for a public key to theauthentication key register;

FIG. 51 is an explanatory diagram of a storage system for an encryptedshared key to the authentication key register;

FIG. 52 is a storage processing flowchart of an encrypted shared key tothe authentication key register;

FIG. 53 is an explanatory diagram of a processing system at the time ofpaging-in to the physical memory;

FIG. 54 is a processing flowchart at the time of paging-in to thephysical memory;

FIG. 55 is a block chart showing the configuration of the authenticationunit;

FIG. 56 is an operation flowchart of the authentication unit;

FIG. 57 is an explanatory diagram for an access check system by thememory access control unit when using pages in the fifth embodiment;

FIG. 58 is a diagram explaining the operational example at the memoryaccess control unit;

FIG. 59 is a processing flowchart of a memory access control unit whenfetching instructions;

FIG. 60 is a diagram explaining an access control system when usingpages from the secure core and the normal core;

FIG. 61 is a configuration diagram of a processor having a mode registerfor switching between the secure mode and the normal mode;

FIG. 62 is a block diagram showing the configuration of the secure DMA;

FIG. 63 is a flowchart of a data transfer processing using the secureDMA;

FIG. 64 is a flowchart of a processing at the time of paging-in by theOS;

FIG. 65 is an explanatory diagram of a context information encryptionsystem in the seventh embodiment;

FIG. 66 is an explanatory diagram of a decryption system for the contextinformation;

FIG. 67 is an explanatory diagram of a falsification detectinginformation adding system for the context information;

FIG. 68 is an explanatory diagram of a falsification detecting system ofthe context information;

FIG. 69 is an explanatory diagram of an encryption system for thecontext information for secure operations;

FIG. 70 is an explanatory diagram of a falsification detectinginformation adding system for the context information for secureoperations;

FIG. 71 is an explanatory diagram of an encryption system of the pagetable entry;

FIG. 72 is an explanatory diagram of a decryption system of the pagetable entry;

FIG. 73 is an explanatory diagram of a falsification detectinginformation adding system to the page table entry;

FIG. 74 is an explanatory diagram of a falsification detecting systemfor the page table entry; and

FIG. 75 is a diagram explaining when loading a program to the computerto implement the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The embodiments of the present invention are described below in detailby referring to the attached drawings.

FIG. 1 is a block diagram showing the principle configuration of thepresent invention's secure processor. In this figure, the secureprocessor 1 of the present invention comprises a specific key storingdevice 2, an instruction code storing device 3, an authenticationprocessing device 4 and an encryption processing device 5.

The specific key storing device 2 stores a specific key, for example, aCPU specific key in the core which executes instruction codes in thesecure processor. The instruction code storing device 3, for example,the encrypted ROM code area, stores the encrypted instruction codes in anon-rewritable format. The authentication processing device 4 performsauthentication of the instruction codes containing the instruction codesstored in the instruction code storing device 3 using the specific keyand the encryption processing device 5 encrypts the I/O data between thecore and the external memory.

In the mode carried out in the present invention, the encryptionprocessing device 5 encrypts the authenticated instruction codes and canstore them in the memory device, for example, a main memory, which isconnected to the secure processor 1 on the page unit, and theauthentication processing device 4 can add authenticated information tothe instruction codes which are to be authenticated.

Next, the secure processor 1 shown in FIG. 1 can comprise cores forexecuting instruction codes: a secure core for executing only theinstruction codes authenticated by the authentication processing device4 and a normal core for executing the regular instruction codes whichare not authenticated.

In this case, the secure core is booted (activated) using the encryptedinstruction codes stored in the instruction code storing device and thesecure core can have a normal core booting device which boots the normalcore after the completion of booting of the secure core. In addition,the secure core can comprise a normal core monitoring device whichmonitors the operation of the normal core after booting the normal core,and when an abnormal state is detected, aborts the operation of thenormal core or carries out branching to the specific processing.

Next, a program for the secure processor of the present invention makesa computer execute the following procedures: a procedure of performingan activation processing using a program in a memory wherein encryptedinstruction codes are stored in a non-rewritable format; anauthentication processing block for performing an authenticationprocessing of the instruction codes including the instruction codesstored in the memory; a key management processing for managing theprocessor specific key; a procedure of setting up the operationprocessing for the key table where the key used forencryption/decryption processing of the instruction codes authenticatedby the authentication processing block; a procedure for performing theprogram authentication processing on a secondary memory using theauthentication processing block; and a procedure for carrying out theoperation as a key processing monitor executing the key processing whichis needed when executing the authenticated program including theactivated operating system.

The secure processor of the present invention comprises a instructionexecution device which executes commands, such as an execution unit, aload/store control device which controls loading and storing the datafor the external memory in response to the commands from the instructionexecution device, such as a load/store unit, and an encryptionprocessing device which performs encryption/decryption of the databetween the load/store control device and the external memory, such asan encryption circuit and a decryption circuit. The instructionexecution device specifies the key to be used for dataencryption/decryption for the encryption processing device in responseto the commands being executed.

In an embodiment of the present invention, the secure processor canfurther contain a key storing device which stores multiple keys, such asa key table memory, and the instruction execution device outputs the keynumber specified by the said key to the key storing device and the keystoring device can give a key to be used for data encryption/decryptionfor the encryption processing device in response to the key number.

Furthermore, this secure processor can further contain a key storingdevice which stores the key to be used for decryption of the commandfetched data loaded externally and when the instruction execution deviceis in the command fetching state, the key storing device can provide akey to be used for decryption of the fetched commands with theencryption processing device.

Furthermore, the secure processor of the present invention can comprisean instruction execution device which executes commands, a load/storecontrol device which controls loading and storing the data for theexternal memory in response to the commands from the instructionexecution device, and an encryption processing device which performsencryption/decryption of the data between the load/store control deviceand the external memory. The instruction execution device gives a signalwhich specifies the key to be used for data encryption/decryption to theencryption processing device in response to the data/command fetchaccess addresses based on the commands being executed.

In an embodiment of the present invention, the secure processor canfurther contain a key storing device which stores multiple keys, and theinstruction execution device outputs a logical address as the saidaccess address and the key storing device can give a key to be used fordata encryption/decryption to the encryption processing device inresponse to the logical address.

Alternatively, this secure processor can further contain a key storingdevice which stores the multiple keys, the load/store control deviceoutputs the physical address as an access address in response to thecommand given from the instruction execution device, and the key storingdevice can give a key to be used in encryption/decryption to theencryption processing device in response to the physical address.

The secure processor of the present invention also comprises a secureprocess (context) identifier generation device at the point when theprocess producing command is issued, which generates a secure processidentifier to compare with the secure process identifier correspondingto the page on which a secure page flag is set up to indicate that theexecution codes are properly authenticated prior to the execution of theprocess corresponding to the execution codes, and a process informationretention device, for example, a context information storage unit, whichretains the secure process identifier generated as information relatedto that process.

In an embodiment of the present invention, along with the addition ofauthentication information to the execution codes corresponding to thesaid process, the process information retention device can retain anauthentication key for the execution code authentication performedduring the survival period of the generated process.

Furthermore, this secure processor can further comprise anauthentication device which performs authentication of the executioncodes using the authentication key for every page after the executioncodes corresponding to the said process are stored in a spare page ofthe memory, and the secure process identifier is stored in the bufferwithin the processor in correspondence to the address of that page, andsets a secure page flag in that buffer when the authentication issuccessful.

Alternatively, this secure processor can further comprise a memoryaccess control device which compares the secure process identifier whichis stored in the said buffer prior to the actual execution of theexecution codes, and to which a corresponding secure page flag has beenset with the secure process identifier which is retained in the processinformation retention device, and is corresponding to the instructioncodes to be executed, and which allows the command execution unit whichexecutes commands to access a page on the memory where the executioncodes are stored when both identifiers agree with each other.

Additionally, this secure processor can also comprise a secure corewhich executes only the authenticated execution codes and a normal corewhich executes the regular execution codes which have not beenauthenticated, and each f cores has respective command execution unitsand a cache.

Moreover, this secure processor can also comprise a direct memory accessdevice which performs an arithmetic calculation which is necessary forauthentication of the execution codes while storing the execution codesin the memory, and which retains the results of the calculation to givethem to the authentication device.

Next, a program for the secure processor of the present invention is aprogram used by a computer which pages-in the page containing theexecution codes into the memory, which makes the computer execute thefollowing procedures: a procedure for requesting the transfer into thememory of the said page to the direct memory access mechanism in thecomputer; procedure for setting, in the page table entry in thetranslation look-aside buffer, data about a page on which a secure pageflag is set in order to indicate that the page storing the executioncodes are properly authenticated prior to the execution of the process,which include a secure process identifier to be compared with a secureprocess identifier corresponding to the page, and is generated at thepoint when the process producing command is issued after completing thetransfer successfully; and a procedure for requesting the hardware toauthenticate the page and to set the secure page flag indicating thesuccessful authentication in the page table entry.

Moreover, the program for the secure processor of the present inventionis a program used by the computer performing authentication of the pagecontaining the execution codes, which makes the computer execute thefollowing procedures: a procedure for performing hash arithmetic for thepage read in the memory; a procedure for decrypting the authenticationinformation added to that page; a procedure for comparing the hashoperation results and the decryption results; and a procedure forsetting a secure page flag which indicates the authentication of thepage was successful in the page table entry in the translationlook-aside buffer of the computer when the comparison results aredetected to be identical.

According to the present invention, the instruction codes encrypted inthe non-rewritable format retained in the processor are used as basicintegrity points, and the authentication of the program including theoperating system is performed so that the security level of the systemcan be substantially improved by expanding the range of the reliableprogram.

Further, according to the present invention, while the encryptionprocessing block is installed within the same chip as the processor toimprove the performance of the encryption processing, the data andexecution codes corresponding to the commands being executed can beencrypted. Therefore, the levels of encryption can be altered inresponse to the commands being executed so that the security level as asystem can be improved.

Moreover, according to the present invention, the instruction codes canbe authenticated prior to the execution of the instruction codes and theprocess can be executed. And after detecting the agreement between theprocess identifier corresponding to the process which a secure page flaghas been set and the process identifier of the process being executed,the process is executed. Therefore, the operation of the maliciouslyaltered execution codes on the processor can be prevented, and as aresult, a secure software execution environment can be provided.

The overall configuration of the secure processor of the presentinvention, and the outline of its processing are explained below as afirst embodiment.

FIG. 2 is a block diagram showing the basic configuration of the secureprocessor as the first embodiment. In this figure, the processor 10comprises a core 11 containing an execution unit and a cache, anencryption processing block 12 which performs a command processing withthe external interface and encryption/decryption of the bus data(program codes or data), a code authentication processing block 13 whichperforms authentication of the instruction codes, an encrypted ROM codearea 14 in which the most basic program used when activating theprocessor is encrypted and stored, and a CPU specific key 15 to performdecryption of the program stored in this code area 14. The operation ofthe encryption processing block 12 will be explained in detail later inthe third embodiment and the operation of the code authenticationprocessing block 13 will also be explained in detail later in the fifthembodiment.

While commands and data are transmitted between the core 11 and theencryption processing block 12, the key for encryption is controlled. Anauthentication interface is installed between the core 11 and the codeauthentication processing block 13. Moreover, the encryption processingblock 12 and the code authentication processing block 13 executeaccessing to the main memory 17, and the code authentication processingblock 13 executes accessing to the secondary memory 18.

FIG. 3 is an overall processing flowchart of a secure processor in thefirst embodiment.

When a power source is turned on in FIG. 1, at Step S1, the core 11shown in FIG. 2 decrypts the program stored in the encrypted ROM codearea 14 using a CPU specific key 15 and executes a booting (activation)processing. Because of the built-in ROM, falsification of the program isessentially difficult. However, even though falsification is carried outby a certain method, the program has already been encrypted and to carryout a meaningful falsification is difficult. Therefore, if the programis booted properly, it can be determined that no falsification has beenmade in the program. As a result, the program stored in the encryptedROM code area 14 can be assumed to be an absolutely reliable program.Then, this state can be defined as a basic reliable point of theprogram.

Regarding the encrypted ROM code area 14, if an AES (Advanced EncryptionStandard) method having a higher confidentiality than a DES (DataEncryption Standard) method performing encryption at 64 bit units [isused], this can be installed externally instead of inside the processor.In this case, in order to avoid estimation of the encryption key inresponse to the frequent patterns such as NOP of the instruction codesand All 0/All 1 of the data pattern, it is possible to use another modeother than ECB (electric code book) where the same encrypted sentence isalways output for the same plain sentence.

Subsequently, at Step 2, an operation processing for the key table(memory) as will be mentioned later which is installed in the encryptionprocessing block 12, a key management processing to perform generationof a public key and a secret key using the CPU specific key 15, andsetting up of a code authentication processing block 13 are executed andthe contents of the processing are defined as the same integrity points.

Subsequently, at Step S3, an authentication processing is performed forthe program stored in the secondary memory 18. In the first embodiment,the general programs including the operating system (OS) are stored onthe secondary memory 18 via hard disk and a network, and theauthentication processing is executed for these programs. Theauthentication processing will be explained later.

A group of programs for executing the said key table operationprocessing forms a library which is called a key processing monitor.Accessing the secure hardware 20 including the encryption processingblock 12, the code authentication processing block 13, and CPU specifickey 15 is limited to the segments operated by the key processing monitorat Step S4. The state when the key processing monitor is operated andaccessing secure hardware 20 is enabled is called access level 1. Accesslevel 1 is implemented by the hardware which monitors whether a programcounter indicates the addresses of the key processing monitor of thestep S4 in the fixed area.

The operations using the general programs including the said OS areclassified under access level 2 or access level 3 when compared to theaccess level 1. In the first embodiment, the OS is classified underaccess level 2, and when the OS is activated at Step S5, authenticatedprograms are executed at Step S6. The authenticated programs in theaccess level 2 can request key processing monitor, which is Step 4 inthe access level 1, namely for the key processing, and executeindirectly via the key processing monitor such as encryption of the ownspace or data encryption and decryption. Even the programs from outsideof the CPU are allocated as access level 2, if they are authenticated,can execute key processing. However, direct access to all the keysbesides the public keys or secure hardware 20 is disabled so that evenif there are some problems with the programs of level 2, key informationother than the public keys is not exposed to the outside.

The non-authenticated programs at the access level 3 are executed atStep S7 after activation of the OS at Step S5. The programs at theaccess level 3 can not access all the keys other than public keys andcan not request the key processing monitor key processing. Theprocessing from the Step S4 through Step S7 is executed using theinter-process communications among the programs at each access level.

As was mentioned above, in the first embodiment, when the bootingprocess carried out using the program stored in the encrypted ROM codearea 14 is successful at the time of activation of the processor, thebasic point of integrity of the program is established and as thereliable program range is expanded by performing authentication ofvarious kinds of programs including the OS using the basic point ofintegrity, the purpose of improving the security level of the systemsstep-by-step by the processor itself can be achieved. After initiatingthe operation, encryption of codes and data can be performed at eachunit of authentication so that sufficient integrity can be retained withregard to retention of confidentiality among programs. In the firstembodiment, the method explained implemented a processing at the accesslevel 1 as a software executed by the core of the processor, but aportion of the processing at the level 1 or the entire processing canalso be implemented as a micro code or a wired logic.

FIG. 4 is a flowchart showing the outlines of the processing by the codeauthentication processing block 13 and the encryption processing block12 in FIG. 2. In this figure, following the initial processing in thecode authentication processing block at Step S10, the processing in theencryption processing block is carried out at Step S11.

In FIG. 4, a code authentication processing is executed initially atStep S12 for the programs stored, for example, in the main memory 17 orin the secondary memory 18. The details of this processing will bedescribed later. Subsequently, whether or not authentication succeeds orfails is determined at Step S13. If authentication fails, a terminationprocessing is executed for the code execution at Step S14.

If authentication succeeds, a processing in the encryption processingblock starts and whether or not a key for encryption at Step S16 isspecified at each page unit is determined. If it is not specified, arandom key is generated using a random number generator and so on atStep S17, but if it is specified, the specified key is fetched at StepS18. The case when the key is not specified includes the case when thatpage is newly produced and so on, but the case when the key is specifiedincludes the case of repeated paging-in after the page produced is oncepaged-out or the case when encrypted page from the outside is stored.After the key is defined at Step S19, an encrypted page entry, namelythe page table entry (PTE) in the translation look aside buffer (TLB) aswill be mentioned later is generated and an encrypted page is allocatedto perform encryption of codes or data.

FIG. 5 is an overall flowchart of the code authentication and itsencryption processing when a different encryption key is allocated inthe same process command area and data area to perform encryption of thecodes. In this figure, Step S10, namely the processing by the codeauthentication processing block, is the same as in the case of FIG. 4.

If the code authentication succeeds in FIG. 5, whether or not a commandkey is specified as a key for the command area is determined at StepS21. If it is not specified, a random key is generated at Step S22, butif it is specified, the specified key is fetched at Step S23, and therandom key or the specified key is used at Step S24 to generate anencrypted command page table entry, namely PTE, and the encrypted pageis allocated in the command area to perform encryption of the commandarea.

Subsequently, whether or not a data key is specified as an encryptionkey in the data area is determined at Step S26. If it is not specified,a random key is generated at Step S27, but if it is specified, aspecified key is fetched at Step S28 to generate a page table entry forthe data at Step S29, and an encrypted page is allocated and encryptionis executed for the data area.

Subsequently, the operations for acquiring an encryption key in thefirst embodiment are explained with reference to FIG. 6 through FIG. 9.FIG. 6 and FIG. 7 are a configuration example of the inside of theprocessor in the encryption key acquisition operation example (No. 1),and a flowchart of its processing, respectively. In this example, it isassumed that a processor-specific RSA secret key is retained inside ofthe processor in advance in a secure system, a corresponding RSA publickey is output to the outside of the processor by a certain method, andan encryption key given from the outside has been encrypted by thispublic key. That is, for instance, an encryption key for encryption anddecryption at a page unit is a common key and re-encryption by a publickey is essential for retaining confidentiality.

FIG. 6 shows a configuration of the processor 10 for executing anencryption key setting processing into the processor. The inside of theprocessor comprises the following essential blocks: an encryption keysetting unit 21; a decryption unit 22; a processor-specific RSA secretkey 23; and a translation look aside buffer (TLB) 24. The interior ofthe TLB comprises a logic address table 25, a physical address table 26and a key table 27 which correspond to the said page table entry (PTE).A request for setting an encryption key including an encryption keyencrypted by the processor-specific RSA public key is given externallyto the encryption key setting unit 21.

FIG. 7 is a flowchart of the encryption key acquisition processing. Whenthe processing starts in this figure, initially an encryption keysetting request is received by the encryption key setting unit 21 atStep S31, the encrypted encryption key received by the decryption unit22 is decrypted using the processor-specific RSA secret key 23 at StepS32. The encryption key decrypted by the encryption key setting unit 21at Step S33 is stored in the key table 27 inside of the TLP 24 at StepS32 and the processing is terminated.

FIG. 8 is a configuration example of the processor in the encryption keyacquisition operation example (No. 2). In this figure, the following isthe difference in the processor 10 when compared to the example No. 1 ofFIG. 6: a signature verification unit 28 is provided in place of thedecryption unit 22; and a certificate of a certification authority 29 isstored as a public key of the certification authority in place of theprocessor-specific RSA secret key 23. It is assumed that thiscertificate of a certification authority 29 is recorded inside of theprocessor so as to avoid the illegal replacement of this certificate andan encryption key setting request including the encryption key with thesignature of the certification authority is given to the encryption keysetting unit 21.

FIG. 9 is a flowchart of the processing in the encryption keyacquisition operation example (No. 2). When the processing starts inthis figure, initially an encryption key along with the signature isreceived by the encryption key setting unit 21 at Step S36, the receivedencryption key is verified by the signature verification unit 28 usingthe signature and the public key of the certification authority at StepS37, whether or not the verification succeeds is determined at Step S38.If the verification succeeds, the encryption key received by theencryption key setting unit 21 is stored in the key table 27 inside ofthe TLB 24, and then the processing is terminated. Or, if theverification fails, the processing ends immediately. In order to improvereliability of the encryption key, it is possible to perform both theoperation example No. 1, that is, retention of confidentiality of theencryption key and the operation example No. 2, that is, identificationof the encryption key in combination.

FIG. 10 is a flowchart of the illegal command treatment processing whenan illegal command is detected while executing commands in the encryptedcommand area in the first embodiment. If an illegal command is detectedat Step S41 in this figure, whether or not the illegal command is acommand within the encrypted page is determined at Step 42, if it is acommand within the non-encrypted page, a regular illegal commandtreatment processing is carried out at Step S43. If it is determined tobe a command within the encrypted page, it is determined that commandfalsification is made at Step S44, and a process lock down as a commandfalsification treatment processing for falsification or cancellation ofthe suspended processing are executed to stop the execution of theinstruction codes.

FIG. 11 is a key replacement processing flowchart to prevent that acommand is detected as an illegal command prior to the execution of theinstruction codes stored in the data area in the case when differentencryption keys are allocated in the command area and in the data areafor the same process as explained in FIG. 5. Such storage of theinstruction code in the data area is occurred when a programmed 10(PIO), that is, copying of the command by the program, is performed.

In FIG. 11, initially, when the instruction code is copied in the dataarea by PIO at Step S46, a key replacement processing is booted at StepS47. In this processing, the data PTE corresponding to the data pagewhere the command was stored is read at Step S48, after the PTE isdeleted, the encryption key stored in that entry is fetched at Step S49.Further, using the contents of the data PTE, namely the encryption key,a command PTE which the key is stored in the key table 27 in FIG. 6 isgenerated. And, the command PTE is written in the TLB at Step S51, then,branching into the copying area where the command is copied is performedat Step S52, and finally the command stored in the copying area isexecuted.

In the first embodiment, only one core 11 including an execution unitand a cache is installed in the processor 10 as explained in FIG. 2, andthe core 11 plays, as secure core, the central role of the operation asthe secure processor. In contrast, in the systems called multiprocessorsystems or multi-core systems, the processing can be divided, forinstance, multiple cores can be classified to a secure core executingthe secure operation and a normal core executing the normal operation.Such a processor system will be explained below with reference to thesecond embodiment.

FIG. 12 is a basic configuration block diagram of a processor in thesecond embodiment. When compared to FIG. 2 showing the first embodiment,the following points are different: a secure core 31 and a normal core32 are installed in place of the core 11 in this figure; a bus interface33 is installed between these two cores 31 and 32 and the encryptionprocessing block 12 or the code authentication processing block 13; akey control is performed between the secure core 31 and the encryptionprocessing block 12; an authentication control is performed between thesecure core 31 and the code authentication processing block 13; andadditionally a CPU specific key 15 is connected only to the secure core31. Basically, the second embodiment is characterized in that theencryption processing block 12, the code authentication processing block13 and the CPU specific key 15 as the secure hardware as explained inFIG. 3 are controlled only by the secure core 31.

In the second embodiment, the access to the secure hardware 20 is onlylimited to the secure core 31. In the first embodiment, user softwaremay be involved in the operation of the key processing monitor at stepS4 in FIG. 2 as a secure operation and the access is limited by hardwaremonitoring of the program counter as mentioned previously. In the secondembodiment, the involvement of software is absent and there is noproblem with software bugs.

In the first embodiment, such access levels must be shared, for example,by the time sharing system using the same core. However, as a differentcore is used in the second embodiment, the amount of requestedprocessing for software such as register clear at the time whenswitching the access levels becomes less.

FIG. 13 is a basic processing flowchart of the processor used in thesecond embodiment. When compared to FIG. 3 showing the first embodiment,the following points are different in the processing. If the secure core31 and the normal core 32 in FIG. 12 are assumed to have basically equalrelationships, when power is turned on the respective core executes abooting process using the programs stored in the encrypted ROM code area14. That is, the encrypted programs are decrypted using the CPU specifickey 15 in the booting process by the secure core at Step S1 to executethe booting process. If the booting succeeds, this status is defined asa basic reliable point of the programs and subsequently, the secure corecontinues operations primarily, for example, as a key processingmonitor.

In contrast, the normal core 32 primarily becomes in charge ofprocessing equivalent to the access level 2 such as the OS. In responseto the fact that the authentication processing of the program on thesecondary memory is executed at the side of secure core at Step S3 inFIG. 13, the power is turned on at the normal core 32 side and a bootingprocess is executed by the programs in the encrypted ROM code area 14 atStep S55. Assuming that it is ascertained that the programs in theencrypted ROM code area 14 are absolutely reliable by the secure core31, a booting process at the normal core side ends basically without anyproblems and other booting processes such as the OS are continuouslyexecuted at Step S5.

FIG. 14 is a configuration block diagram of the processor when thesecure core and the normal core do not have equal relationships and whenthe normal core is controlled by the secure core in order to strictlyapply security in the second embodiment. When compared to FIG. 12 inwhich the secure core 31 and the normal core 32 have basically equalrelationships, the configuration components of the processor areidentical, but the difference is that core control signals are givenfrom the secure core 31 to the normal core 32. The actual examples ofthe core control signals include reset signals and interrupt signals.

FIG. 15 is a flowchart of the entire processing by the processor shownin FIG. 14. At the side of the secure core 31 in this figure, a systemauditing is further performed when setting up the key table operationprocessing, key management processing, and authentication processingblock at Step S57 instead of Step S2, following the booting process atStep S1. In this system auditing, the presence of the changes in thesystem configuration and the presence of the changes in the programs onthe secondary memory are verified in order to confirm that there are noproblems with the security functions of the system and the systemconfiguration.

Subsequently, the normal core is booted from the side of the secure core31 at Step S58 and in response, the program stored in the encrypted ROMcode area 14 is booted at Step S59 at the side of the normal core 32.The subsequent processes are the same as those in the case shown in FIG.3.

FIG. 16 is an explanatory diagram of the stop control processing of thenormal core as one of the control processing of the normal core 32 bythe secure core 31 in the processor shown in FIG. 14. In this figure,for example, when the authenticated program is performed at the side ofthe normal core at Step S6, a key processing is requested forauthentication of the data is requested to the side of the secure core31. When failure of authentication in the operation of the keyprocessing monitor at Step S4 and violation in the security standardsare detected, the processing by the normal core 32 such as execution ofthe authenticated programs at Step S6 and execution of thenon-authenticated programs at Step S7 are aborted by an instruction fromthe side of the secure core 31.

FIG. 17 is a flowchart of the control processing of the normal core 32by the secure core 31 as shown in FIG. 14. A booting is executed at theside of the secure core 31 at Step S61. When the process is completed atStep S62, a booting control of the normal core 32 is performed at theside of the normal core 32. Then, the normal core is booted at Step S63,and regular processing which does not require keys and authenticationprocessing are executed at the side of the normal core at Step S64. Atthe tide of the secure core 31, an authentication/monitoring processingusing the monitoring information sent from the side of the normal core32 is always performed at Step S65. Whether or not errors are generatedis determined at Step S66. If there are no errors, the subsequentprocesses after Step S65 are continued, but if there are errors, theprocessing at the side of the normal core 32 is aborted by requestingabort or an interrupt to the side of normal core 32. To control thenormal core by the secure core, for example, reset signals as mentionedabove can be used, but as another method, NMI (non-mask interrupt) forthe CPU can be used.

FIG. 18 is a configuration block diagram of the processor having a keygeneration mechanism in the second embodiment. In addition to theconfiguration shown in FIG. 12, the processor of FIG. 18 furthercomprises a key generation mechanism 34.

FIG. 19 is an explanatory diagram for generation of a key by the securecore and an encryption processing using the generated key in the secondembodiment. In this figure, the secure core 31 in the processorgenerates a public key Ke, N and a secret key Kd35 using the CPUspecific key 15 and the key generation mechanism 34. For example, itnotifies the public key Ke and N to the outside of the processor via thenormal core 32. In this case, the secret key Kd is not delivered to theside of the normal core 32 and the normal core 32 can not execute anykey processing other than the public key as mentioned previously.

If an encrypted statement C which has been encrypted using the publickey and the original text P is entered externally to the normal core 32,the normal core 32 requests a decryption processing to the secure core31 since the normal core 32 does not hold the secret key Kd.Subsequently, the secure core 31 decrypts the text P using the secretkey Kd.

Next, the third embodiment of the invention is explained below. FIG. 20is a basic configuration block diagram of the processor in the thirdembodiment. The processor 40 in this figure comprises an execution unit41, a load/store unit 42, an encryption circuit 43, and a decryptioncircuit 44. In addition, the load/store unit 42 comprises a cache memory45 and a memory management unit 46.

The third embodiment is a processor which executes basically secureoperations as in the first and second embodiments. It is basicallycharacteristic in that an encryption key for storing and a decryptionkey for loading are specified in the processor 40 from the executionunit 41 for the encryption circuit 43 which performs encryption of thestored data and for the decryption circuit 44 to decrypt the loaded dataincluding the fetched commands as in the encryption processing block inthe first embodiment.

In the third embodiment shown in FIG. 20, a plain text is given as acommand and a stored data from the execution unit 41 to the load/storeunit 42, and a loaded data is given as a plain text from the load/storeunit 42 to the execution unit 41. The command is given to the mainmemory or to the secondary memory as explained in FIG. 2 via theload/store unit 42, and the stored data as a plain text are given to theencryption circuit 43, and then output to the main memory as anencrypted stored data. Or the encrypted loaded data input from the mainmemory are decrypted by the decryption circuit 44 to be given as loadeddata as a plain text to the load/store unit 42.

FIG. 21 is a configuration block diagram of the processor having a keytable memory storing the encryption key and decryption key in the thirdembodiment. In this figure, the key table memory 47 stores an encryptionkey for encryption of the stored data, and the key table memory 48stores a decryption key for decryption of the loaded data. From theexecution unit 41, a key number instruction for storing and a renewalinstruction of an encryption key are given to the key table memory 47and a key number instruction for loading and a renewal instruction fordecryption key are given to the key table memory 48. The configurationof the key table memory will be described in detail later.

FIG. 22 is a configuration block diagram of the processor having a keytable memory storing a decryption key for command fetching in order toperform decryption of the command to be fetched in the third embodiment.In this figure, the execution unit 41 performs a processing in thecommand access state to fetch the commands stored in, for example, themain memory. For example, the command fetched data as loaded data fromthe main memory are given to the decryption circuit 44, and in thiscase, the execution unit 41 gives a command access state flag to the keytable memory 48. The decryption circuit 44 performs decryption of thecommand fetched data using a decryption key for command fetching outputfrom the key table memory 48, and the command fetched data as a plaintext are given to the execution unit 41 via the load/store unit 42. Fromthe execution unit 41, if desirable, a renewal instruction of decryptionkey for command fetching is given to the key table memory 48.

FIG. 23 is a configuration block diagram of the processor having a keyselection register which gives a key number instruction to be used forthe key table memory in the third embodiment. In this figure, a keyselection register 51 is installed to give a key number instruction forstoring to the key table memory 47, between the key table memory 47storing the encryption key for storing and the execution unit 41, and akey selection register 52 is installed to give a key number instructionfor loading to the key table memory 48 between the key table memory 48storing the decryption key for loading and the execution unit 41. Arenewal instruction of a key selection register for storing is givenfrom the execution unit 41 to the key selection register 51 and arenewal instruction of key selection register for loading is given fromthe execution unit 41 to the key selection register 52.

In contrast to the fact that in FIG. 21, a key number instruction isoutput in response to the respective execution command from theexecution unit 41, a register renewal instruction is given at a certaininterval of the commands in FIG. 23, and encryption/decryption isperformed using the same key until the next renewal instruction isgiven. In addition, it is possible that both a direct route for givingthe key number instruction from the execution unit to the key tablememory, and an indirect route via the key selection register areinstalled such that a signal to give an instruction for which route ofinstruction the execution unit 41 should use in response to theexecution command is given to the key table memory.

FIG. 24 is a configuration block diagram of the processor having the keyselection register corresponding to the command access state of theexecution unit in the third embodiment. In this figure, as in FIG. 22,the execution unit 41 is in a command access state to fetch commandsfrom, for example, the main memory and a command access state flag isgiven from the execution unit 41 to the key selection register 52, andthe key selection register 52 gives a key number instruction for commandfetching corresponding to the key table memory 48 storing the decryptionkey for command fetching.

FIG. 25 is an explanatory diagram of the configuration example of thekey table memory in the third embodiment. In this figure, thecorresponding encryption key and its attributes are stored in the keytable memory. The execution unit 41 gives a key number instructiondirectly or via the key selection register to the key table memory, andthe key number is used as read address. And an encryption key or adecryption key is given along with the specification information of theencryption method for the encryption circuit 43 or decryption circuit44, or attribute data indicating the necessity of encryption. A keyrenewal number instruction given from the execution unit 41 is used as awrite address and the key renewal data are written.

The attribute data of each entry indicate validity/invalidity of theentry, ON/OFF of encryption, and encryption methods and encryptionmodes, and an encryption key which depends upon the encryption methods.The data instructing ON/OFF of the encryption correspond to theinstructions when loading and storing the plain text data withoutperforming encryption/decryption as will be described later.

FIG. 26 is an explanatory diagram of the configuration example of theencryption circuit or decryption circuit in the third embodiment. Forexample, the decryption circuit 44 in FIG. 20 is basically configuredwith a decryption pipe 55 and a bus arbiter 57. The decryption pipe 55operates in response to the input of the command information via thecommand buffer 59 from the execution unit 51. The decryption pipe 55 isan N-state pipe to decrypt to the plain text data, the encrypted dataentered via the bus from, for example, the main memory. This N-stagepipe is formed by connecting N-stages of processing 56 which is aschematic example of a one step of common key encryption processing. Theplain text data output from the decryption pipe 55 is then stored in,for example, the cache memory 45 shown in FIG. 20 via the bus arbiter57.

The encryption circuit 43 basically comprises an encryption pipe 60 anda bus arbiter 61. For instance, a 32-bit plain text data is given fromthe cache memory 45 to the encryption pipe 60 and the encrypted datawhich are encrypted by the N-stage pipe using the encryption keyspecified from the execution unit 41 are output to the bus connected to,for example, the main memory via the bus arbiter 61. The operations ofthe encryption pipe 60 are controlled by the command information givenfrom the execution unit 41 via the command buffer 59 as in the case ofdecryption pipe 55. In addition, the basic structure of the processingat each stage of the encryption pipe 60 is the same as that in thedecryption pipe 55. Moreover, a variety of encryption methods includingAES128, DES and SC2000 are available as encryption methods. As for AESmethods, specifications of AES192 and AES256 have already beenregulated.

For example, the bus arbiter 61 performs arbitration for the busconnected to the main memory or secondary memory device and hasbasically no relationship to the operations of the secure processor inthe present invention.

FIG. 27 is a block diagram showing the configuration of an encryptioncircuit and decryption circuit in which a portion of the data is left asplain text data instead of performing encryption for the entire data,for instance, a data passing function is added so that the data areinput and output between the main memory. In this figure, the basicconfigurations of the encryption circuit and the decryption circuit arethe same as those in FIG. 26. However, at the side of the encryptioncircuit, the data which are not needed to be encrypted in the plain textdata given from the cache memory 45 are given directly to the bypassselector 63 without going through the encryption pipe 60 and are storedin any of multiple bypass buffers 64 along with the encrypted dataoutput from the encryption pipe 60 and then given to the bus connectedto the main memory via the bus arbiter 61.

The selection by the bypass selector 63 for the plain text data orencrypted data is also controlled by the command information from theexecution unit 41 via the command butter 59. Since it takes time toperform processing by the encryption pipe 60, it is possible for theplain text data not requiring encryption to pass the encrypted data tobe given to the side of the main memory by the control using the bypassselector 63. The key which is necessary for encryption in FIG. 27 isgiven to the encryption pipe 60 via the key register 69.

For example, among the data carried from the bus connected to the mainmemory, the plain text data which have not been encrypted are directlygiven to the bypass selector 66 without going through the decryptionpipe 55, stored in one of multiple bypass buffers 67 using the bypassselector 66 along with the plain text data which have been decrypted bythe decryption pipe 55, and then output to the cache memory 45 via thebus arbiter 57.

FIG. 28 is an explanatory diagram of the read modify write system forthe write-through cache system in the third embodiment. If the cachememory 45 uses a write-through system, the data are not stored in thecache memory 45 if cache errors occur while being stored and the dataare directly stored in the main memory. If the size of the data to bestored is less than 1 byte, a 1 byte data is stored in the main memory.However, in the third embodiment, the stored data are basicallyencrypted initially by the encryption circuit 43 and then stored in themain memory. In the process of encryption, a certain amount of data isrequired as stored data so that even though the data are encrypted by 1byte and stored in the main memory, it is difficult to perform properdecryption.

In the load/store unit 42 in FIG. 28, for example, if it is necessary tostore 1 byte data in the main memory, the data in the length which isnecessary for the encryption process are loaded from the main memory andcombined with 1 byte data to be stored. And then, the combined dataundergo a read modify write operation such that the combined data areencrypted and stored in the main memory.

That is, for instance, if the cache store command at (1) that 1 bytedata should be stored in the cache is determined to be an cache error at(2), a load as a command is issued from the cache memory 45 to the mainmemory at (3), the loaded data of the plain text via the decryptioncircuit 44 are stored in the read modify write (RMW) buffer 71 at (4),and the data to be stored at (5) are given to the RMW buffer 71 at (5),the data to be stored and the loaded data are combined and the combineddata are given to the encryption circuit 43 at (6), and a store as acommand issued at (7) for the main memory.

Next, the fourth embodiment of the present invention will be explainedbelow. The difference between the fourth embodiment and the thirdembodiment is as follows. In contrast to the fact that the key numbersof the encryption key used in the encryption circuit and of thedecryption key used in the decryption circuit, for example, the keynumbers are specified by the execution unit 41 in the third embodiment,the access addresses of the data to be stored or loaded are specified bythe execution unit 41 when executing the commands by the execution unit41, and an encryption key or a decryption key is selected based on theaddresses.

FIG. 29 is a basic configuration block diagram of the processor in thefourth embodiment. The processor 40 shown in the figure comprises a keytable memory 73 which gives an encryption key for storing to theencryption circuit 43 and a decryption key for loading to the decryptioncircuit 44 in response to the addresses given by the execution unit 41,in addition to the execution unit 41, the encryption circuit 43, and thedecryption circuit 44.

FIG. 30 is a configuration block diagram of the processor in which keysare selected in response to the logical addresses of the stored data orloaded data specified by the execution unit. Unlike the processor shownin FIG. 29, the processor 40 in this figure comprises a key table memory74 for storing the encryption key for storing and a key table memory 75for storing the encryption key for loading, as well as a load/store unit42 which is equipped with a cache memory and a memory management unit46, like as in the processor shown in FIG. 20. The addresses given fromthe execution unit 41 to the load/store unit 42, namely the addresses ofthe stored data or loaded data are logical addresses, and these logicaladdresses are then given to the key table memory 74 or 75 to selectencryption keys for storing or decryption keys for loading. The selectedkeys are then given to the encryption circuit 43 or decryption circuit44. From the execution unit 41, the renewal instruction of encryptionkey for storing is given to the key table memory 74 and the renewalinstruction of decryption key for loading is given to the key tablememory 75.

FIG. 31 is a configuration block diagram of the processor for which keyshave been selected in response to the physical addresses of the data inthe fourth embodiment. When compared to the processor shown in FIG. 30,physical addresses of the stored data or physical addresses of theloaded data are given from the load/store unit 42 respectively for thekey table memory 74 or 75, and an encryption key for storing is given tothe encryption circuit 43, and a decryption key for loading is given tothe decryption circuit 44.

FIG. 32 is a configuration diagram of the key table memory in the fourthembodiment. When compared to FIG. 25 in the third embodiment, if 32 bitsfrom 0.sup.th bit to the 31.sup.st bit are given as access addresses ofthe data from the side of the execution unit, the stored encryption keysare selected using these addresses as read addresses, and given alongwith the encryption attributes to the encryption circuit 43 or thedecryption circuit 44. If different keys are used for every 4 k bytes asread addresses of the memory, addresses from the 12.sup.th bits to the31.sup.st bits are used to select an encryption key. In this case, the 4k bytes as will be mentioned later correspond to the size of 1 page inthe main memory. If the 4 k bytes are called as address unit forencryption, the entry data of the key table memory include address tagsafter excluding bytes equal to the total number of entries multipliesthe address unit. For example, if the number of total entries is 32 (5bits), the addresses from the 17.sup.th bits to the 31.sup.th bitsbecome the address tag.

FIG. 33 is an explanatory diagram of the key table memory having aconfiguration of multiple ways in the third embodiment. The key tablememory in this figure is comprised of multiple tables from the key table1 to the key table 4, and keys and encryption attributes stored in oneof the four tables corresponding to the access addresses given from theside of the execution unit are selected to be given to the encryptioncircuit 43 or decryption circuit 44.

FIG. 34 is an explanatory diagram of a configuration example of the keytable memory using an associative memory system. In this figure, accessaddresses 32 bits are classified into any one in the range of targetaddresses corresponding to the encryption key stored by the comparisonselector 77, the encryption keys corresponding to the classified rangeare selected to be given to the encryption circuit 43 and to thedecryption circuit 44 along with encryption attributes. In FIG. 34, theaddress tags which are obtained by excluding the amount of address unitregardless of the total number of entries are included in the entries.If the address unit is 4 k bytes, addresses from the 12.sup.th bits tothe 31.sup.st bits become the address tags.

FIG. 35 is a configuration block diagram of the processor in which keysare selected in response to either the logical addresses or physicaladdresses of the data in the fourth embodiment. In this figure, logicaladdresses of the data are given from the execution unit 41 or physicaladdresses are given from the load/store unit 42 to the key table memory74 or 75, respectively. Alternatively, selection instructions of logicaladdress and physical address for the stored data are given to the keytable memory 74 from the execution unit 41. And, selection instructionsof logical address and physical address for the loaded data are given tothe key table memory 75 from the execution unit 41. In response to theseselection instructions, keys corresponding to any of the logicaladdresses or physical addresses are selected and given to the encryptioncircuit 43 and the decryption circuit 44, respectively.

FIG. 36 is a configuration example of the processor comprising of a keyselection register which gives selection instructions of logical addressand physical address to the key table memory. When compared to FIG. 35,respective key selection registers 78 and 79 are installed between theexecution unit 41 and the key table-memory 74 or 75, respectively, andselection instructions of logical address and physical address for thestored data, and selection instructions of logical address and physicaladdress for the loaded data are output to the key table memory 74 and75. From the execution unit 41 to the key selection registers 78 and 79,respective renewal instructions of key selection register are given.

FIG. 37 is a configuration example of the key table memory in FIG. 35and FIG. 36. In this figure, the key table memory has a physical addresskey table and a logical address key table, and a physical key and alogical key are output in response to the respective physical addressesand logical addresses. And, in response to the key selectioninstructions from the side of execution unit 41, or the selectioninstructions from the key selection register, either physical keys orlogical keys along with encryption attributes are output to theencryption circuit 43 or decryption circuit 44 by the logical andphysical key selection unit 81.

FIG. 38 is a configuration example of the processor having contents ofthe key table memory as a key table in a memory management unit (MMU) 46inside the load/store unit 42 in the fourth embodiment.

FIG. 39 and FIG. 40 are explanatory diagrams of a storage format of thekey information in this memory management unit and a cache memory accesssystem, respectively. Generally, correspondences between the logicaladdresses and physical addresses are stored in each entry in response toeach page in the physical memory in the translation look aside buffer(TLB) inside the MMU 46. In FIG. 39, a key information corresponding tothe page is stored in each entry of the TLB. For instance, if the dataaccess address is a logical address, an entry which matches with thelogical address is selected and the data attribute and access attributein response to the entry are checked by the attribute check 83 and thena command generated by the cache command generation 84 is sent to thecache memory 45.

At the side of the cache memory 45, a tag is retrieved in response tothe contents of the command received. In the case when cache hit, thedata response is immediately returned to the side of the execution unit41, whereas in the case when cache missed, a command corresponding tothe tag is issued to the encryption/decryption bus interface containingencryption circuit 43 and decryption circuit 44. In this case, the keyinformation and the physical addresses which are read from the entry areused, for instance, after the response data from the main memory aredecrypted, the decrypted data are stored in the cache memory and thenthe data responses are returned to the execution unit 41.

FIG. 40 is an explanatory diagram of the key information storage formatwhen an address map register (AMR) is installed in place of the TLB inthe memory management unit. In this figure, the informationcorresponding to the storage contents of the TLB is stored in theregister instead of memory. For instance, the page size can be variableso that a large data area can be covered by a single entry.

FIG. 41 is a configuration example of the processor in which anencryption key is given from the execution unit 41 to the encryptioncircuit 43 and a decryption key is given to the decryption circuit 44 insuch a state that the operation of the memory management unit (MMU) inthe load/store unit is halted, namely in the OFF state. In this figure,the ON/OFF signal of the MMU is given to the encryption circuit 43 andto the decryption circuit 44. The encryption circuit 43 or thedecryption circuit 44 uses a key given from the execution unit 41 if thesignal is OFF, or it uses a key given from TLB 87 of the interior of thememory management unit 46 or AMR 88 if the signal is ON in order toexecute encryption or decryption processing.

FIG. 42 is an explanatory diagram of the key switching system in theencryption circuit or in the decryption circuit in FIG. 41. In thisfigure, the configuration of the encryption circuit or the decryptioncircuit is basically the same as FIG. 26 in the third embodiment, but akey selector 90 is added. A key given from the execution unit isselected by the key selector 90 at the time of OFF and a key given fromTLB or AMR is selected by the key selector 90 at the time ON accordingto the values of the MMU ON/OFF signals given from the execution unit,and the selected key is then given to the encryption pipe 60 or thedecryption pipe 55.

FIG. 43 is an explanatory diagram of the I/O signals of the executionunit in the third or fourth embodiments. In FIG. 20 in the thirdembodiment, the essential signals include a load encryption key, a storeencryption key, a stored data and a command as output signals, andloaded data as input signals (circle marks), and access addresses andload/store status signals are signals which are present structurally(triangle marks).

In FIG. 21, the output signals of a load key number instruction insteadof a load decryption key and those of a store key number instruction areessential. In addition, due to the fact that renewal of the key tablememory has an equal value to the register access in view of theexecution unit, register-related I/O signals also become essential.

In FIG. 22, the I/O signals corresponding to the command access statusare necessary, and the execution status signal as an output signal, andthe command fetched data as an input signal are considered as essential.

In FIG. 23 and FIG. 24, a key selection register is added in addition tothose used in FIG. 20 and FIG. 21, register-related I/O signals are alsoessential.

The following explanation is simplified and only a characteristicportion is explained. In summation of FIG. 21, FIG. 22, and FIG. 23, inaddition to the I/O signals when the three cases are combined,supervisor/user status signals indicating that which of supervisor anduser the process to be performed corresponds to, and context, that is,the data of the process ID (identifier) are added. These supervisor/userstatus signals and context ID data are used for selecting the encryptionkeys and decryption keys in addition to the key number instructionsignals output from the execution unit in the third embodiment.

Those after FIG. 29 correspond to the fourth embodiment. The accessaddresses to the data become the essential output signals. Further, thekey selection instruction signals for selecting either logical addressesor physical addresses are also output in FIG. 35 and FIG. 36.

In FIG. 38, because a key table is added to the TLB in the memorymanagement unit, the register-related signals are present from theaspect of configuration. In addition, the figure shows the cases whensupervisor/user status signals and context ID data are added. Theseadded signals are used for selecting encryption keys and decryption keysas well as access addresses in the third embodiment.

FIG. 41 includes a case when using a key output from the execution unitis used in response to the values of the status signals indicatingON/OFF of the memory management unit (MMU) and a case when using a keyoutput from the TLB is used. As a result, all the I/O signals becomeessential as well as supervisor/user status signals and context ID data.

As mentioned above, in the third and fourth embodiments, keys arespecified from the execution unit for encryption/decryption of the dataand instruction codes so that an encryption processing can be performedat such a level corresponding to the commands to be executed. Also, dueto the specification of encryption/decryption keys by the key selectionregister or access addresses, an encryption processing can be carriedout for every program units or for every access, thus, a processing tobe performed can be selected in response to diverse situations.

Next, the fifth embodiment of the present invention will be explainedbelow. The fifth embodiment demonstrates a more precise configuration inorder to implement secure operation of the secure processor presented asthe first embodiment. Setting of an authentication key and operationssuch as authentication of the process in order to further improvereliability of the process (programs) will be explained in detail belowcorresponding to its configuration.

FIG. 44 is a functional configuration diagram which is necessary in theprocessor in order to explain the fifth embodiment. In this figure, theprocessor 100 is connected to a physical memory 101, for instance, amain memory 17 in FIG. 2, an I/O device 102, for instance, a secondarymemory 18.

The processor 100 comprises a memory access control unit 105 whichcontrols accesses to a physical memory 101 and an I/O device 102, acommand interpretation unit 106 which interprets the commands to beexecuted, an authentication unit 107 which performs an authentication ofthe page storing the execution code, an encryption/decryption andsignature generation/verification unit 108 which performs, for instance,encryption/decryption of the page which has been authenticated, a securecontext identifier generation unit 109 which generates a secure contextidentifier corresponding to a process, namely a context, when generatingthe process a secure context identifier elimination unit 110 whicheliminates the corresponding identifier when eliminating the process, aprocessor specific key 111 which is used for encryption an authenticatedinformation primary storage unit 112 which stores the authenticatedinformation corresponding to the physical page stored in, for instance,the physical memory 101, and a secure DMA 113 for direct memoryaccessing when accessing the memory.

The interior of the processor 100 comprises the translation look asidebuffer (TLB) 114 as explained in FIG. 39 and a context informationstorage unit 115. TLB 114 stores the page table entry (PTE) 122 whichindicates correspondences between the logical addresses and physicaladdresses with reference to, for instance, physical page. And thecontext information storage unit 115 comprises a program counter (acounter to retain the value of the program counter) 117, a securecontext identifier register 118 storing the secure context identifier,an authentication key register 119 storing the key required forauthentication, and a group of registers 120.

Also, the physical memory 101 stores, for instance, the execution codesfor every unit of physical page 124, and the I/O device 102 storesexecution codes and the data are stored in the format whichauthenticated information 126 is added for every unit of page 125. Inthe seventh embodiment, the authentication of the execution code of thecontext (process) whose the secure context identifier is stored in thesecure context identifier register 118 is carried out using anauthentication key stored in the authentication key register 119.

FIG. 45 is an explanatory diagram of a method of generating a securecontext identifier corresponding to the context when a program operatedon the processor, for example, a program used by users, is activated anda context generation command is issued. The context generation commandis given to the command interpreting unit 106 in the processor, a securecontext identifier is generated by the secure context identifiergeneration unit 109 in response to the results of the interpretation,and its value is set in the secure context identifier register 118. Inthe fifth embodiment, the system is configured so that the value can beset in the secure context identifier register 118 only by this method.Therefore, it is impossible to tamper the secure context identifier soas to disguise another context. The context is a concept basically basedon object-oriented programming. More generally, it corresponds to theexecution status of a process, that is, the execution status of aprogram. In the fifth embodiment, the term “context” is used instead ofprocess.

FIG. 46 is an explanatory diagram for an actual method of generating asecure context identifier. A random number generator 127 as shown inthis figure or a monotonous increment counter 128 can be used for itsgeneration. The probability that the same values are generated as randomnumbers is not zero and after the initial one cycle, the counter valuespresent the same values. Thus, strictly, uniqueness as an identifier cannot be guaranteed. However, it is possible to substantially avoid theoccurrence of such a problem by using a secure context identifier with asufficiently long bit length.

Alternatively as shown in the figure, the existing context ID of theprocessor can be combined with an output of the random number generator127 at the joint unit 129, or with an output of the monotonous incrementcounter 128 to generate a secure context identifier. The existingcontext ID is an arbitrary value which is set up by the OS and itsuniqueness is not generally guaranteed.

FIG. 47 is an explanatory diagram of a method of eliminating the securecontext identifier. In this figure, when the program operated on theprocessor issues a context elimination command, the processor makes thecontents of the secure context identifier register 118 invalid. Themethod of invalidation can be achieved by 0 clearance or a storage areais given for a flag expressing valid/invalid in the register and thenthe flag can be set to be invalid.

FIG. 48 is an explanatory diagram of authentication, for example,information 126 to be added to the execution code 125 for every unit ofpage in FIG. 44. In the authentication key register 119 in the contextinformation 115 within the processor, a key is stored for anauthentication processing of the execution code 125 by using theauthentication information 126 is stored. For example, if an electronicsignature by RSA is used as the authentication information, a RSA publickey is used as an authentication key, but if SHA (secure hashalgorithm)-1 HMAC (hash-based message authentication code) are used as ashared key system, the authentication key is a value of 20 bytes.

A key is stored in the authentication key register 119 when a context isgenerated by the OS, namely at the stage when the context information isinitialized, while checking legitimacy of the authentication key at thesame time. If the authentication key itself is generated by a hostileperson and the authentication information corresponding to the maliciousexecution code is generated using this key, the authenticationprocessing itself succeeds without any problem and the authenticationfunctions by the processor become disabled. Therefore, how thelegitimacy of the authentication key is guaranteed is an importantsubject of concern.

FIG. 49 is an explanatory diagram of a key setting system in theauthentication key register in the case when the authentication key is apublic key. In this figure, the authentication key used is assumed to bea RSA public key, and a certificate of the certification authority whichis a public key of the certification authority 134 is, for instance,embedded in the processor when shipped from the factory so thatsubsequent replacement and modification are disabled. The authenticationkey to be set in the authentication key register 119 is given in theform of a signature by the certification authority secret key. Forexample, when the context is generated, an authentication key settingcommand is given to the processor, its command is interpreted by thecommand interpretation unit 106, and an authentication key is stored inthe authentication key register 119 after the authentication key isverified by the signature verification unit 108. As a result, only thepublic key signed by the certification authority is set up in theauthentication key register.

FIG. 50 is a flowchart of the authentication key setup processing inFIG. 49. In this figure, initially an authentication key setup commandis fetched by the command interpretation unit 106 at Step S71, thefetched public key is verified using a signature and the public key ofthe certification authority by the signature verification unit 108 atStep S72. Whether or not the verification is successful is determined atStep S73. If it succeeds, the public key included in the setup commandfetched by the command interpretation unit 106 is stored in theauthentication key register 119 and the processing is terminated. Whileif verification fails, the processing is terminated immediately.

FIG. 51 shows a key setup system in the case when the authentication keyis a shared key and FIG. 52 is a flowchart of the key setup processing.If a shared key is used as an authentication key, it is necessary toreceive an authentication key by a secure method from the side whichadds the authentication information to the execution code. In this case,it is assumed that a HMAC key which has been encrypted using the RSApublic key is received along with the authentication key setup commandand then stored in the authentication key register 119 after decryptionusing a decryption unit 108 using a processor-specific RSA secret key137 at the processor side.

In the flowchart shown in FIG. 52, an authentication key setup commandis fetched by the command interpretation unit 106 at Step S76, theencrypted HMAC key included in the command is decrypted by thedecryption unit 108 using the processor-specific RSA secret key 137 atStep S77, the decrypted HMCA key is stored in the authentication keyregister 119 by the command interpretation unit 106 at step S78 andthen, the processing is terminated.

FIG. 53 is an explanatory diagram of a paging-in system in which anexecution code of the context whose secure context identifier has beengenerated is stored in the main memory, namely in a physical page of thephysical memory 101, and the physical page is authenticated in order toenable to start execution of the processing. FIG. 54 is a flowchart ofthe paging-in processing.

In this paging-in processing, initially the execution code is stored inthe physical page and various data in the page table entry (PTE) aresetup by the OS, the OS requests as an authentication request for thecontext, namely the physical page that the authentication unit 107 setsup a secure page flag field. The physical page is authenticated by theauthentication unit 107 in response to the request, and a flag of thesecure page flag field is set up such that use of PTE becomes enabled.

Once the processing starts in the processing flowchart in FIG. 54, theexecution code is stored in the spare physical page by the OS at StepS80, the top address of the physical page and the top address of thecorresponding logical page are set as a physical address and a logicaladdress in the PTE in the TLB by the OS at Step S81, and the value ofthe secure context identifier is set in the PTE at Step S82. Forexample, as explained in FIG. 45 and FIG. 46, on the assumption that thesecure context identifier which is generated when the context generationcommand is issued and the secure context identifier which is stored inthe secure context identifier register 118 can be read by the OS, the OSsets up the read secure context identifier in the PTE.

Subsequently, if desirable, read/write attributes for that page are setin the PTE by the OS at Step S83, and the OS requests the authenticationunit 107 as a hardware to set up a secure page flag field at Step S84.It is primarily assumed that the OS itself has already beenauthenticated and setting a secure page flag field is basically an OStask, but, here, the authenticated OS requests the hardware to set up aflag.

At Step S85, an authentication processing is executed at theauthentication unit 107. The details of this processing will bedescribed later. In this processing, the physical page is authenticatedusing an authentication key of the context corresponding to the securecontext identifier and the authentication information stored in theauthentication information primary storage unit 112. Then, whether ornot the authentication succeeds is determined at Step S86. If itsucceeds, the flag of the secure page flag field is set up and its PTEbecomes available for use. In contrast, if it fails, the flag of thesecure page flag field is reset and its PTE is disabled for use, and arecovery or error processing is carried out by the OS at Step S89.

The primary target of the processing shown in FIG. 54 is a processorwhich can directly set a value for the PTE in the TLB. However, forexample, in the processor wherein a value is set for PTE on the mainmemory and the TLP acts as a cache, the processes from Step S80 to StepS83 are carried out for the PTE on the main memory and the operationsafter Step 84 are carried out at a time when the contents are stored inthe cache in the TLB.

FIG. 55 is a configuration example of the authentication unit 107 shownin FIG. 53, and FIG. 56 is a flowchart of the authentication processingat Step S85 shown in FIG. 54. In this case, a SHA-1 hash value iscalculated for the entire page and compared with the results ofdecryption of the electronic signature. As shown in FIG. 56, it isnaturally possible to implement the operation of the authentication unit107 as a processing by software rather than by hardware.

In FIG. 55, the physical page 125 is divided in a portion of 64 byteswhich is given to the SHA-1 hash operator 140, where the hash values onthe entire page are calculated and given to the comparator 142. Incontrast, the RSA electronic signature stored in the authenticatedinformation primary storage unit 112 is given to the RSA decryptiondevice 141 along with the RSA public key stored in the authenticationkey register 119 and the decrypted hash values as its output arecompared with the output of the SHA-1 hash operator 140 by thecomparator 142. The authentication is determined to be successful ifthey match each other, whereas it is determined to be a failure if theydo not match each other.

In the authentication processing shown in FIG. 56, the physical page isread by 64 byte units at Step S90, a hash operation is carried out atStep S91, and whether it reached the end of the page is determined atStep S92. If it did not reach the end of the page, the processing atStep 90 and after is repeated.

If it reached the end, the electronic signature proceeds with thedecryption processing using the RSA public key at Step S93 and theresults of decryption are compared with the results of hash operation atStep S94. If they match each other, a secure page flag field is set upat Step S95, whereas if they do not match each other, the secure pageflag field is reset at Step S96 to end the processing.

As mentioned above, in the fifth embodiment, the execution code isauthenticated when paging-in the execution code into the physical memory(main memory) and a secure page flag indicating that the authenticationwas successful is set up.

Next, the memory access control when executing the commands on thephysical page in the present invention will be explained with referenceto the sixth embodiment. FIG. 57 is an explanatory diagram of a memoryaccess control system when executing the commands on the physical page.In this figure, if a meaningful value is present in the secure contextidentifier register 118, and if a secure page flag field of the PTE 122is set up, and if the value of the identifier stored in the securecontext identifier register 118 and the value of the context identifieron the PTE 122 match each other, execution of the commands on thephysical page 124 is permitted. This control is carried out by thememory access control unit 105. In this case, checking read/writeattributes of the data and supervisor attributes corresponding to thephysical page are not directly related to the contents of the presentinvention and are performed separately.

FIG. 58 is an explanatory diagram of the operational example of thememory access control unit 105. In this figure, the contents enclosed bythe thick dotted line correspond to the memory access control unit 105.In addition, the secure page flag field and the secure contextidentifier are included as attribute data of the PTE in the TLB 114.

As in FIG. 39, if an access is made using the logical address as anaccess address, the attribute data of the PTE selected by this addressare read and compared with the access attribute by an attribute check146. If the checked results are OK, a cache command 147 is generatedusing the physical address read corresponding to the logical address andthe attribute checked results, and for example, a tag 148 in the cachememory 45 is retrieved, and the data response is directly returned inthe case when the cache is hit. Whereas in the case when the cache ismissed, for example, the data loaded from the main memory are stored inthe cache memory via the queue and bus interface 149, and the dataresponse is returned to the execution unit.

FIG. 59 is a processing flowchart of the memory access control unit 105when fetching the commands. If a logical address is output for commandfetching by the command execution unit 144 shown in FIG. 57, attributedata of the PTE corresponding to the logical address specified at StepS98 are selected. And whether or not the current context, namely thecontext to be currently executed is a secure context, that is, whetheror not the context has a valid secure context identifier is present, ischecked at Step S99. If the current context is a secure context, whetheror not a secure page flag field (SPF) of PTE corresponding to thecontext is set up is checked at Step S100. If it is set up, whether ornot the secure context identifier of the current context, namely theidentifier stored in the secure context identifier register 118 matcheswith the secure context stored in the PTE is determined.

If matching, read/write attribute and supervisor attribute as pageattributes corresponding to the context are checked at Step S102. If itis OK, a cache command is generated for outputting the physical addressto the cache for command fetching at Step S103 to end the processing.

If the current context does not have an effective secure contextidentifier at Step S99, whether or not a secure page flag field (SPF) inthe corresponding PTE is set up is determined at Step S104; if it is notset up, no secure context identifier is set up and the same executioncode as normal without authentication should be processed and it shiftsto the processing at Step S102. If the results of the decision at StepS100 and S102 are NO, it will be treated as an error processing at StepS105 to terminate the process. A process of dissociating the logicaladdress into the top address of the logical page and the offset valuesin the page and a process of adding the top address of the physical pageand its offset values are necessary, but these processes are notdirectly related to the present invention and an explanation will beomitted.

FIG. 60 is an explanatory diagram of a memory access control system inthe processor having a secure core and a normal core. In this figure,the normal core 152 performs only the conventional processes, which arenot related to the processes by the encryption processing block 12 andthe code authentication processing block 13, as those shown in FIG. 12in the first embodiment, while the secure core 151 can execute secureoperations including the authentication control of the codeauthentication processing block including the control of the operationsby the encryption processing block which are not explained in FIG. 44.

In FIG. 60, with the control by the memory access control unit 105, thesecure core 151 is allowed to use the physical page corresponding to thePTE in which a secure page flag field has been set up, but it iscontrolled that the normal core cannot use the page.

In FIG. 44, the code authentication processing block controlled by thesecure core includes the memory access control unit 105, whichcorresponds to an authentication unit 107, an encryption/decryption,signature generation/verification unit 108, a secure context identifiergeneration unit 109, a secure context identifier elimination unit 110, aprocessor-specific key 111, an authenticated information primary storageunit 112, a secure DMA 113, a secure context identifier register 118, anauthentication key register 119, and a secure page flag field and asecure context identifier in the PTE 122.

In FIG. 60, basically the secure core 151 executes only the executioncodes in the physical page in which the authentication processing iscompleted and a secure page flag field is set up in the PTE, and thenormal core 152 executes only the regular codes which have not beenauthenticated. However, it is possible that the normal core can beconfigured so that the authenticated codes in addition to the regularcodes can be executed by the normal core.

FIG. 61 is a configuration block diagram of a processor having a core ofswitching between the secure mode and the normal mode. In this figure, amode register 155 is installed in the core 154 and the page in which asecure page flag field is set up can be used only in the case of asecure mode. Switching between the secure mode and the normal mode canbe carried out by a method using an interrupt as a trigger as in thecase of switching between the normal user mode and the kernel mode, butanother method can be used.

FIG. 62 is an explanatory diagram of a page data transfer system to thephysical memory 101 using the secure DMA 113 in FIG. 44, as a memoryaccess control system. FIG. 63 is a flowchart of a data transferprocessing using the secure DMA 113. For example, in the paging-inprocessing in FIG. 53 and FIG. 54, page data as execution codes areinitially stored in the physical page and these execution codes are thenauthenticated. However, since an authentication processing requires aprocessing such as calculation of the hash values, in this embodiment,the hash values are calculated at each transfer unit of the page data,and the results of the calculation are retained as interim results ofthe hash operation. These processing are repeated, and the hashoperation is completed at the end of transfer so that the results can beused in the subsequent authentication processing.

The secure DMA 113 in FIG. 62 comprises a transfer source address of thedata from the core 154, transfer destination address, a transfermanagement unit receiving the transfer size 157, a data reader 158 whichreads data from the I/O device 102, a hash operator 159 for carrying outhash operation, a data writer 160 which writes page data in the physicalmemory 101, and a physical page top address retaining unit 161 whichretains the top address of the physical page and the hash values for thepage.

When a processing starts in FIG. 63, the following procedures are taken.Using the program operated on the core 154, generally by the transfermanagement unit 157 which received instructions such as the transfersource address from the OS. The data reader 158 is instructed to readthe next 64 byte data from the I/O device 102, and the 64 byte data areread by the data reader 158 at Step S111. The hash operator 159 isinstructed to perform hash operation by the transfer management unit 157at Step S112 and the hash operation is performed by the hash operator159 at Step S113. The interim results are retained and, a data writer160 is instructed to write 64 byte data to the physical memory 101 isinstructed by the transfer management unit 157 at Step S114 and the 64byte data are written in the physical memory 101 by the data writer 160at Step S115. Whether or not the data transfer of one page is completedis determined at Step S116. If it is not completed, the processes fromStep S110 are repeated, whereas if it is completed, a pair of hashvalues and the physical page top address as a transfer destinationaddress is given by the transfer management unit 157 to a retention unit161 to end the processing.

FIG. 64 is a processing flowchart when executing codes including thememory access control. This figure is a processing flowchart during thepaging-in typically by the OS and a characteristic point of the presentinvention is the processes enclosed by the bold line. When a processingstarts, initially the transfer source/destination address, transfer sizeare instructed to the secure DMA 113 at Step S120 and whether or not thetransfer succeeds is determined at Step S121. If it is successful, avariety of information are set up in the PTE within the TLB at Step S122like as in Steps S81 through S83 shown in FIG. 54, and a request is madeto set up a secure page flag field at Step S123 like as in Step S84.After an authentication process is executed at the authentication unit,whether or not a flag is set successfully is determined at Step S124. Ifit is successful, the processing ends. If the transfer fails at StepS121, or if setting fails at Step S124, the processing terminatesimmediately.

As mentioned above, according to the sixth embodiment, an accessing evenof the execution codes which have been successfully authenticated isonly allowed after checking the secure context identifier and the securepage flag field.

Finally, the seventh embodiment of the present invention will beexplained with reference to FIG. 65 through FIG. 74. In the seventhembodiment, when context information and PTE corresponding to thecontext switches is evacuated to, for example, in the main memory,encryption for protecting data or addition of falsification detectioninformation are carried out. For example, in the first embodiment, theauthenticated execution codes are encrypted and then stored in thephysical memory. In contrast, in the seventh embodiment, the contextinformation is encrypted before being stored in the physical memory.

FIG. 65 is an explanatory diagram of an encryption method for thecontext information. In this figure, the entire context informationstored in the context information storage unit 115 as explained in FIG.44 is encrypted using the processor-specific key 111 by an encryptiondevice 165 and the encrypted context information 166 is then stored inthe physical memory 101.

FIG. 66 is an explanatory diagram of a decryption method for thecorresponding context information shown in FIG. 65. The encryptedcontext information 166 stored in the physical memory 101 is decryptedby a decryption device 168 using the processor-specific key 111 when itbecomes necessary by the context switch and the decrypted contextinformation is stored in the context information storage unit 115.

FIG. 67 is an explanatory diagram of a system of adding falsificationdetection information to the context information. For the contextinformation stored in the context information storage unit 115 in thisfigure, falsification detection information 170 is generated by anfalsification detection information generator 169 using theprocessor-specific key 11 and stored in the physical memory 101 alongwith the context information.

FIG. 68 is an explanatory diagram of an falsification detection systemfor the context information using the corresponding alternationdetection information shown in FIG. 67. In this figure, using thefalsification detection information 170 added to the contextinformation, an falsification using the processor-specific key 111 isdetected by an falsification detector 172.

FIG. 69 is an explanatory diagram of a context information encryptionsystem for encrypting only context information 175 for secure operationamong the contest information stored in the context information storageunit 115, when context information which is needed for secure operationis differentiated from the regular context information. According tothis method, a regular context information 176, namely the contextinformation such as existing context ID is treated without encryption asbefore without modifications in the portions in the core of theprocessor as much as possible so that only the contents of storage inthe authentication key register 119 and the in the secure contextidentifier register 118 are encrypted as the context information forsecure operation 175.

For the existing context ID, it is possible to store the same value asthe secure context identifier as operation of the OS. For example, ifthe OS is rewritten by malicious codes, there is no guarantee that thevalues of the two identifiers become identical. If the processor isconfigured such that the processor can be operated only when the samevalues are achieved, a security that the processor will not be operatedunless the same values are achieved is retained and there will no moreproblems.

In FIG. 69, only the context information for secure operation 175 isencrypted using the processor-specific key 111 by theencrypter/decrypter 174 so that the encrypted context information 177 isstored in the physical memory 101, while the regular context information176 remains as a plain text context information 176 to be directlystored in the physical memory 101.

FIG. 70 is an explanatory diagram of a context information storagesystem which stores falsification detection information added to thecontext information for secure operation 175 in the physical memory 101.In this figure, falsification detection information 180 is generated forthe context information for secure operation 175 using theprocessor-specific key 111 by an falsification detection informationgenerator/falsification detector 179, and is stored in the physicalmemory 101 along with the contest information for secure operation 175and regular context information, namely plain text context information176. In this case, encryption has not been applied to the values ofprogram counters and the values of the register group as regular contextinformation, but in order to further improve reliability, it isnaturally possible to apply encryption to the regular contextinformation or to add falsification detection information.

FIG. 71 through FIG. 74 are explanatory diagrams of protective systemsfor the contents stored in the page table entry (PTE) 122. FIG. 71 showsan encryption system of PTE. The contents stored in the PTE 122, thatis, values of secure page flag field, secure context identifier, logicaladdress and physical address values are encrypted by the encrypter 165using the processor-specific key 111 and the encrypted PTE 183 is storedin the page table 182 in the physical memory.

FIG. 72 is an explanatory diagram of a decryption system for thecorresponding encrypted PTE shown in FIG. 71. In this figure, theencrypted PTE 183 stored in the physical memory 101 is decrypted usingthe decrypter 168 using the processor-specific key 111 and is stored asPTE in the TLB 114.

FIG. 73 is an explanatory diagram of an falsification detectioninformation addition system to the PTE and FIG. 74 is an explanatorydiagram of an falsification detection system for the PTE. In FIG. 73, anfalsification detection information 185 for the PTE 122 is generatedusing the processor-specific key 111 by the falsification detectioninformation generator 169 and is stored in the page table 182 along withthe PTE 122.

In FIG. 74, falsification is detected in the PTE 122 stored in the pagetable 182 by the falsification detector 172 using the alternationdetection information 185 and the processor-specific key 111.

As mentioned above, in the seventh embodiment, encryption andfalsification detection are performed for the context information andPTE used by the secure processor so that the security of informationprocessing is further improved.

A secure processor of the present invention and a program for the secureprocessor were described in detail above. It is possible to use thissecure processor as a basic component of the general computer systems.FIG. 75 is a configuration block diagram of such a computer system,namely the hardware environment.

A computer system shown in FIG. 75 comprises a central processing unit(CPU) 200, a read only memory (ROM) 201, a random access memory (RAM)202, a communication interface 203, a memory device 204, I/O device 205,a mobile storage medium reading device 206, and a bus 207 connecting allof the components.

As memory devices 204, various types of memory devices such as a harddisk and magnetic disk can be used. The programs are shown in FIG. 3through FIG. 5, FIG. 7, FIG. 9 through FIG. 11 and in other flowcharts,and programs are described in claims 7, 19 and 20, in the scope of thepresent invention, are stored in such memory devices 204 or ROM 201 andwhen these programs are executed by the CPU 200, operation of a secureprocessor, setting of an encryption key, code authentication processingand encryption processing can be carried out in the embodiments of thepresent invention.

These programs can be stored in the memory devices 204 by the programproviders 208 via network 209 and communication interface 203, or theycan be stored in mobile memory media which have been distributedcommercially, set in a reading device 206 and executed by the CPU 200.As mobile memory media 210, a variety of types of memory media such asCD-ROMs, flexible disks, photo disks, photo magnetic disks, and DVDs canbe used. The secure processor in the mode of the present invention canbe operated when the programs stored in such memory media are read bythe reading devices 206.

1. A processor comprising: a first execution unit configured to performa first operation in which an access to a secure address space ispermitted; a second execution unit configured to perform a secondoperation in which an access to the secure address space is prohibited;and a memory access control unit configured to access a physical addresscorresponding to a virtual address by referring to a flag of a pagetable entry in a translation look-aside buffer, wherein, only when thefirst execution unit outputs the virtual address, the memory accesscontrol unit permits an access to the physical address within the secureaddress space in which the flag of the page table entry is set to avalue indicating that a corresponding address space is secure, andwherein, by executing a first instruction code stored in the secureaddress space by the first execution unit, a second instruction code ischecked by the first execution unit before the second instruction codeis executed by the second execution unit.
 2. The processor according toclaim 1, wherein the first instruction code is stored in anon-rewritable memory.
 3. The processor according to claim 1, whereinthe page table entry further includes a virtual address, a physicaladdress corresponding to the virtual address, and an identifier thatindicates secure context.
 4. The processor according to claim 1, whereinthe second instruction code is executed by the second execution unitafter the second instruction code is checked.
 5. The processor accordingto claim 1, wherein the first execution unit is a secure core whichincludes a code authentication processing block and performs a secureoperation including an authentication processing of the secondinstruction code and the second execution unit is a normal core whichperform a normal operation.
 6. The processor according to claim 1,wherein the memory access control unit further includes a cache memorycontaining at least a tag and data corresponding to the tag, and thedata is directly returned to the first execution unit without accessingoutside of the memory access control unit when cache is hit.